The worm uses WININIT.INI to avoid deleting Wsock32.dll and renaming Wsock32.mtx in Wsock32.dll. When this is done, the virus component comes in.

The Virus Component searches for antivirus programs. If it can find one, the virus decompresses the worm component, makes a copy in user's folder and executes it. The name of this file is Ie_pack.exe. After execution, Ie_pack.exe is renamed as Win32.dll. It searches for WinDir files in the current, Windows and Temp directories.